Learning how to reverse engineer Android applications is a great way to review source code and identify malicious
intent or potential vulnerabilities in closed-source binaries. With the right tools and a little know-how, it's a surprisingly straightforward undertaking for information security professionals to sniff out security weaknesses in Android applications, such as unrestricted permissions and, in any native libraries the application ships, format strings and buffer overflows.
First, you need to be familiar with the anatomy of an Android application. Android applications are typically written in Java and delivered as an Android package (APK), which is an ordinary ZIP archive with the extension renamed to .apk. Once unzipped, the root directory contains folders with the application resources, the compiled code as classes.dex, and a META-INF directory holding the signature files. Every Android application must also contain a binary XML file named AndroidManifest.xml in the root, which communicates essential information about the application (package name, components and requested permissions) to the Android system.
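To make the anatomy concrete, here is an added example (not code from the article or from viaForensics) that opens an APK as a ZIP, reports whether the mandatory pieces are present, and re-computes the per-entry digests listed in META-INF/MANIFEST.MF, which is how a repackaged app betrays itself. Because it has to run offline, it constructs a toy APK in memory; the entry names and contents are made up, and the CERT.RSA entry is only a placeholder (the signature over the manifest itself is not verified here).

```python
"""Inspect the anatomy of an APK and check its JAR-style (v1) manifest digests.

Added example, not from the original article. The APK it inspects is
constructed in memory so the script runs offline; entry names and contents
are invented. Point inspect_apk() at open(path, "rb").read() for a real file.
"""
import base64
import hashlib
import io
import zipfile


def build_sample_apk(tamper: bool = False) -> bytes:
    """Build a constructed APK-like ZIP with a genuine MANIFEST.MF digest list.

    With tamper=True, classes.dex is changed after the manifest was written,
    which is what a repackaged (trojanised) app looks like before re-signing.
    """
    entries = {
        "AndroidManifest.xml": b"<binary xml placeholder>",   # constructed
        "classes.dex": b"dex\n035\0" + b"\0" * 104,           # constructed
        "res/layout/main.xml": b"<binary xml placeholder>",   # constructed
    }
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    if tamper:
        entries["classes.dex"] += b"\x90"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        # A real APK carries CERT.SF and CERT.RSA (signature over the manifest);
        # this demo only checks entry digests, so a placeholder is enough.
        z.writestr("META-INF/CERT.RSA", b"<placeholder signature block>")
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> SHA1-Digest from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def inspect_apk(apk_bytes: bytes) -> dict:
    """Return layout facts plus the entries whose manifest digest no longer matches."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        report = {
            "has_manifest": "AndroidManifest.xml" in names,
            "has_dex": any(n.startswith("classes") and n.endswith(".dex") for n in names),
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")),
            "bad_digests": [],
        }
        if "META-INF/MANIFEST.MF" in names:
            digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
            for name, expected in digests.items():
                actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
                if actual != expected:
                    report["bad_digests"].append(name)
    return report


if __name__ == "__main__":
    print("clean:   ", inspect_apk(build_sample_apk()))
    print("tampered:", inspect_apk(build_sample_apk(tamper=True)))
```

A digest mismatch on a file you did not modify yourself means the package was altered after signing; the installer would reject it, but a sample pulled from a compromised device or a third-party store may never have been installed through the normal path.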
Access the Android APK from a phone
Before you begin reverse engineering the application, you'll want to back it up to an SD card. There are a number of tools you can use to do this, including APKoptic and Astro File Manager with Cloud. (For this demo, we'll be using the free Santoku-Linux distribution, which includes open source security tools and utilities for analyzing Android applications.) As shown in Figure 1, to start accessing the Android APK you'll run two commands using the Android Debug Bridge (adb) tool: the first lists the installed package names, and the second copies the package's APK from /data/app on the device to your current directory:
- adb shell pm list packages
- adb pull /data/app/package-name-1.apk
Figure 1. To get the Android package from a device, you can use tools such as Android Debug Bridge to run a list packages command. (Source: viaForensics)
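The two adb commands above, wrapped in a script as an added example (not the article's or Santoku's tooling). It asks the package manager for the APK's actual path with `pm path` instead of guessing the /data/app file name, which matters on releases where the package lives in a per-app directory as base.apk (plus split APKs), and restricts the listing to user-installed apps with `pm list packages -3`. The parsers are pure functions exercised on constructed sample output, so the script runs without a device; adb is only invoked when one is attached.

```python
"""Pull APKs from a connected device with adb, driven by 'pm' output.

Added example, not from the original article or from Santoku. Only
pull_apk()/pull_third_party() invoke adb; the parsers are pure functions and
the SAMPLE_* strings below are constructed output in the format 'pm' prints.
"""
import os
import shutil
import subprocess
from typing import List, Optional

# Constructed sample output in the format 'pm' prints on the device.
SAMPLE_LIST = """package:com.android.settings
package:com.example.bank
package:org.example.flashlight
"""
SAMPLE_PATH = "package:/data/app/com.example.bank-1/base.apk\n"


def _strip_prefix(output: str) -> List[str]:
    """Both 'pm list packages' and 'pm path' print one 'package:<value>' per line."""
    return [line[len("package:"):].strip()
            for line in output.splitlines()
            if line.startswith("package:")]


def parse_pm_list(output: str) -> List[str]:
    """Package names from 'adb shell pm list packages [-3]'."""
    return _strip_prefix(output)


def parse_pm_path(output: str) -> List[str]:
    """APK paths from 'adb shell pm path <pkg>' (split APKs yield several lines)."""
    return _strip_prefix(output)


def adb(*args: str, serial: Optional[str] = None) -> str:
    """Run one adb command and return its stdout; raises on a non-zero exit."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def pull_apk(package: str, dest_dir: str, serial: Optional[str] = None) -> List[str]:
    """Ask the package manager where the APK lives, then pull every file it names."""
    os.makedirs(dest_dir, exist_ok=True)
    pulled = []
    paths = parse_pm_path(adb("shell", "pm", "path", package, serial=serial))
    for i, path in enumerate(paths):
        target = os.path.join(dest_dir, f"{package}-{i}.apk")
        adb("pull", path, target, serial=serial)
        pulled.append(target)
    return pulled


def pull_third_party(dest_dir: str, serial: Optional[str] = None) -> dict:
    """'pm list packages -3' restricts the list to non-system (user-installed) apps."""
    names = parse_pm_list(adb("shell", "pm", "list", "packages", "-3", serial=serial))
    return {name: pull_apk(name, dest_dir, serial=serial) for name in names}


if __name__ == "__main__":
    if shutil.which("adb"):
        print(pull_third_party("pulled_apks"))
    else:
        print("adb not found; parsed sample output:",
              parse_pm_list(SAMPLE_LIST), parse_pm_path(SAMPLE_PATH))
```

Pulling from /data/app does not require root, since the APK files there are world-readable; the application's private data under /data/data is a different matter and is out of scope for this article.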
Get the APK from Google
You can also download the Android APK from Google Play. There are two ways to do this:
2. A Web service or browser extension such as the following:
Now that you have the APK, it's time to get your hands dirty.
Disassemble the APK
To start taking apart the application, you'll first need Android-apktool, an open source, multi-platform utility that decodes resources to their original form and rebuilds the package after modification. It can also disassemble Android's binary Dalvik bytecode (classes.dex) into Smali source code, as shown in Figure 2. Smali is an assembly language for the DEX (Dalvik Executable) format used by the Dalvik Virtual Machine, the part of Android that runs applications on the operating system.
Figure 2. The Android-apktool transforms Dalvik bytecode into Smali source code. (Source: viaForensics)
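Before handing classes.dex to apktool or a decompiler, it is worth confirming that the file is a well-formed DEX, since a truncated or deliberately mangled header is a common reason those tools fail. The following added example (not the article's or apktool's code) parses the documented 0x70-byte DEX header and re-computes the two integrity fields it carries: the adler32 checksum over everything after the checksum field, and the SHA-1 signature over everything after the signature field. The sample DEX is constructed (a valid header followed by an empty data section), not a real application.

```python
"""Parse and integrity-check the header of a classes.dex file.

Added example, not code from the article or from apktool. Layout is the
documented DEX header: 8-byte magic, uint32 adler32 checksum (covers offset
12 to end), 20-byte SHA-1 signature (covers offset 32 to end), then twenty
uint32 size/offset fields. The sample file is constructed, not a real app.
"""
import hashlib
import struct
import zlib

HEADER_FMT = "<8sI20s20I"                    # magic, checksum, signature, 20 x uint32
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 0x70 == 112 bytes
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")
ENDIAN_CONSTANT = 0x12345678


def build_sample_dex(version: bytes = b"035", corrupt: bool = False) -> bytes:
    """Constructed minimal DEX: a valid header followed by 16 bytes of data."""
    data = b"\0" * 16
    values = dict.fromkeys(FIELDS, 0)
    values.update(file_size=HEADER_SIZE + len(data), header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, map_off=HEADER_SIZE,
                  data_size=len(data), data_off=HEADER_SIZE)
    body = struct.pack("<20I", *(values[f] for f in FIELDS)) + data
    signature = hashlib.sha1(body).digest()                    # offset 32 .. end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF     # offset 12 .. end
    dex = b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body
    if corrupt:                      # flip the last data byte, as a patched file would
        dex = dex[:-1] + b"\x01"
    return dex


def parse_dex_header(dex: bytes) -> dict:
    """Return the header fields plus whether checksum, signature and size still match."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n" or dex[7:8] != b"\0":
        raise ValueError("not a DEX file (bad magic)")
    magic, checksum, signature, *rest = struct.unpack(HEADER_FMT, dex[:HEADER_SIZE])
    header = dict(zip(FIELDS, rest))
    if header["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % header["endian_tag"])
    header["version"] = magic[4:7].decode()
    header["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    header["signature_ok"] = hashlib.sha1(dex[32:]).digest() == signature
    header["size_ok"] = header["file_size"] == len(dex)
    return header


if __name__ == "__main__":
    for corrupt in (False, True):
        h = parse_dex_header(build_sample_dex(corrupt=corrupt))
        print("dex version %s: checksum_ok=%s signature_ok=%s size_ok=%s"
              % (h["version"], h["checksum_ok"], h["signature_ok"], h["size_ok"]))
```

A checksum or signature mismatch is not proof of malice (some packers rewrite DEX files and never fix the header), but it tells you the file on disk is not what the compiler produced, which is exactly the kind of sample worth a closer look in Smali.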
Translate the APK to Java
To decompile the Android APK, you'll want to use the dex2jar tool, which converts Dalvik bytecode (DEX) to Java bytecode (Java Archive file format also known as JAR). This allows you to use any existing Java decompiler with the resulting JAR file. (See Figure 3.)
Figure 3. Dex2jar converts Dalvik bytecode to Java bytecode. (Source: viaForensics)
Some useful Java decompilers include:
Transforming DEX to JAR loses important metadata useful to the decompiler. Pure Dalvik decompilers go directly from DEX to Java and thus produce better results. There aren't as many choices for Android decompilers, but useful ones include:
Analyze code for vulnerabilities
And that's it: the reverse engineering is complete. The Java code is now readable, allowing you to check it against known malware databases, run scripts to detect malicious code, and compare the permissions requested in AndroidManifest.xml with what the code actually does. Two caveats are worth keeping in mind. If the application was obfuscated with a tool such as ProGuard, class and method names come back as meaningless short identifiers, so expect to lean on string constants and framework API calls rather than names. And anything the application ships as native code under lib/ is untouched by these steps and needs a native disassembler.
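As an added example of the "run scripts to detect malicious code" step (not the article's or viaForensics' tooling), here is a small triage scanner that greps decompiled Java sources for API calls that deserve a second look, and the apktool-decoded AndroidManifest.xml for risky settings, reporting line numbers for each hit. The pattern list is an opinionated starting point and the Java and manifest excerpts are constructed to exercise it; they are not taken from any real app.

```python
"""Scan decompiled sources and a decoded manifest for suspicious constructs.

Added example; not the article's or viaForensics' tooling. JAVA_PATTERNS and
MANIFEST_PATTERNS are a small, opinionated starting list. SAMPLE_JAVA and
SAMPLE_MANIFEST are constructed inputs, not code from any real application.
"""
import re
from typing import Dict, List, Tuple

# Pattern -> what it usually means during malware or vulnerability triage.
JAVA_PATTERNS: Dict[str, str] = {
    r"Runtime\.getRuntime\(\)\.exec\(":        "executes a shell command",
    r"sendTextMessage\(":                       "sends SMS (premium-rate fraud vector)",
    r"DexClassLoader|PathClassLoader":          "loads code dynamically at runtime",
    r"setJavaScriptEnabled\(\s*true\s*\)":      "WebView with JavaScript enabled",
    r"addJavascriptInterface\(":                "exposes Java objects to WebView JavaScript",
    r"MODE_WORLD_(READABLE|WRITEABLE)":         "world-accessible file or preferences",
    r"Cipher\.getInstance\(\"(DES|AES/ECB)":    "weak cipher or cipher mode",
    r"getDeviceId\(|getLine1Number\(":          "reads IMEI or phone number",
}
MANIFEST_PATTERNS: Dict[str, str] = {
    r'android:debuggable="true"':               "debuggable build shipped",
    r'android:allowBackup="true"':              "app data extractable via adb backup",
    r'<(activity|service|receiver)[^>]*android:exported="true"': "exported component",
}

SAMPLE_JAVA = """package com.example.flashlight;
public class Uploader {
    void go(android.content.Context c) {
        String id = ((android.telephony.TelephonyManager) c.getSystemService("phone")).getDeviceId();
        android.telephony.SmsManager.getDefault().sendTextMessage("1234", null, id, null, null);
        Runtime.getRuntime().exec("su -c id");
    }
}
"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <receiver android:name=".Boot" android:exported="true"/>
  </application>
</manifest>
"""


def scan(text: str, patterns: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_text, description) for every pattern hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, meaning in patterns.items():
            m = re.search(pattern, line)
            if m:
                hits.append((lineno, m.group(0), meaning))
    return hits


def permissions(manifest_xml: str) -> List[str]:
    """Requested permissions, to compare against what the code actually needs."""
    return re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml)


if __name__ == "__main__":
    for hit in scan(SAMPLE_JAVA, JAVA_PATTERNS) + scan(SAMPLE_MANIFEST, MANIFEST_PATTERNS):
        print("line %d: %s  (%s)" % hit)
    print("permissions:", permissions(SAMPLE_MANIFEST))
```

In practice you would walk the decompiler's output directory and run `scan` over every .java file; a flashlight app that reads the IMEI and sends SMS, as the constructed sample does, is the sort of mismatch between declared purpose and behaviour that this pass is meant to surface.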
About the author: Andrew Hoog is CEO and co-founder of viaForensics. As a mobile security researcher and computer scientist, he has spoken at major banking, security and forensic conferences. He is the author of two books on security, iPhone and iOS Forensics and Android Forensics, and has two patents pending in the areas of forensics and data recovery. Mr. Hoog holds a bachelor of arts degree in computer science from Saint Louis University and is completing a master of business administration degree from University of Chicago’s Booth School of Business.